Idiomatic way to encrypt data from an Azure IoT Edge Module? - tpm

I have a pair of IoT Edge modules, one which saves data and one which uploads data. I would like to encrypt the data while it is at rest on the device.
There are many ways I could go about encrypting this data, but I would like to know what the most idiomatic way to do this within an Azure IoT Edge module is.
I know that the secure daemon uses the TPM for a few things, and all of our devices have TPM 2.0 chips; we're using the TPM endorsement keys with the DPS.
I'm wondering if there's a way for the secure daemon to encrypt generic blobs of data for us using the TPM, or if we are expected to try to communicate with the TPM from inside the container somehow to do this?
More Info:
This is the secure daemon: https://github.com/Azure/iotedge/tree/master/edgelet. It is an IoT Edge-specific component which acts as a bootstrapper to fire up the IoT Edge agent module, which then fires up the other modules. The daemon runs under systemd and all other modules are Docker containers, as described here: https://learn.microsoft.com/en-us/azure/iot-edge/about-iot-edge
The runtime is described as "Maintains Azure IoT Edge security standards on the device," so I was wondering if there was some kind of easy way to just give it some data to encrypt and have that encrypted.
Since the secure daemon is already interfacing with the TPM for device registration etc., I was wondering if there was some way to ask the secure daemon to encrypt data, or if there was some other idiomatic solution specific to the IoT Edge runtime.

My question has been answered here: https://github.com/Azure/iotedge/issues/60
The idiomatic way to encrypt/decrypt data in an IoT Edge module at the moment seems to be to communicate with the daemon via a Unix socket (see the env var IOTEDGE_WORKLOADURI).
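The following is an added example of talking to that socket from inside a module; it is my code, not code from the linked issue or from the iotedge repository. It assumes the workload API shape the daemon exposes for this purpose: POST /modules/{moduleId}/genid/{generationId}/encrypt and .../decrypt over the Unix socket named by IOTEDGE_WORKLOADURI, with JSON bodies carrying base64 "plaintext"/"ciphertext" and "initializationVector" and a JSON reply carrying "ciphertext"/"plaintext". The endpoint paths, field names, api-version, the 16-byte IV, and the module/generation IDs are assumptions to confirm against the daemon version you deploy; FakeDaemonTransport is a constructed stand-in (toy cipher, fixed key) so the example runs without an IoT Edge device and says nothing about the daemon's real cryptography.

```python
import base64
import hashlib
import http.client
import json
import os
import socket
from urllib.parse import quote, urlparse

DEFAULT_API_VERSION = "2018-06-28"  # assumption: use the version the deployed daemon expects
IV_LEN = 16                          # assumption: one random 16-byte IV per sealed blob


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials a Unix-domain socket instead of TCP."""

    def __init__(self, socket_path, timeout=10):
        super().__init__("localhost", timeout=timeout)
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.socket_path)


def unix_socket_transport(socket_path):
    """Build transport(method, path, json_body) -> (status, raw_body) over the socket."""
    def send(method, path, body):
        conn = UnixHTTPConnection(socket_path)
        try:
            conn.request(method, path, body=json.dumps(body).encode(),
                         headers={"Content-Type": "application/json"})
            resp = conn.getresponse()
            return resp.status, resp.read()
        finally:
            conn.close()
    return send


class WorkloadCrypto:
    """Delegates encryption to the daemon; the key never enters the container."""

    def __init__(self, module_id, generation_id, transport, api_version=DEFAULT_API_VERSION):
        self.module_id, self.generation_id = module_id, generation_id
        self.transport, self.api_version = transport, api_version

    @classmethod
    def from_env(cls, env=None):
        # Variables the runtime injects into every module container (names assumed).
        env = os.environ if env is None else env
        uri = urlparse(env["IOTEDGE_WORKLOADURI"])  # e.g. unix:///var/run/iotedge/workload.sock
        if uri.scheme != "unix":
            raise ValueError(f"unsupported workload URI scheme: {uri.scheme!r}")
        return cls(env["IOTEDGE_MODULEID"], env["IOTEDGE_MODULEGENERATIONID"],
                   unix_socket_transport(uri.path), env.get("IOTEDGE_APIVERSION", DEFAULT_API_VERSION))

    def _call(self, op, field, data, iv):
        path = (f"/modules/{quote(self.module_id, safe='')}/genid/"
                f"{quote(self.generation_id, safe='')}/{op}?api-version={self.api_version}")
        status, raw = self.transport("POST", path, {field: _b64(data), "initializationVector": _b64(iv)})
        if status != 200:
            raise RuntimeError(f"workload {op} failed: HTTP {status} {raw[:200]!r}")
        return json.loads(raw)

    def seal(self, plaintext: bytes) -> bytes:
        # Return iv || ciphertext: decrypt needs the same IV back, so it is stored with the blob.
        iv = os.urandom(IV_LEN)
        return iv + base64.b64decode(self._call("encrypt", "plaintext", plaintext, iv)["ciphertext"])

    def unseal(self, blob: bytes) -> bytes:
        if len(blob) < IV_LEN:
            raise ValueError("blob too short to hold an IV")
        iv, ct = blob[:IV_LEN], blob[IV_LEN:]
        return base64.b64decode(self._call("decrypt", "ciphertext", ct, iv)["plaintext"])


class FakeDaemonTransport:
    """Constructed offline stand-in for the daemon: same wire format, toy SHA-256
    keystream cipher under a fixed key. Not the daemon's real cryptography."""

    def __init__(self, key=b"fake-module-key"):
        self.key, self.calls = key, []

    def _keystream(self, iv, n):
        blocks, counter = b"", 0
        while len(blocks) < n:
            blocks += hashlib.sha256(self.key + iv + counter.to_bytes(4, "big")).digest()
            counter += 1
        return blocks[:n]

    def __call__(self, method, path, body):
        self.calls.append((method, path))
        op = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if method != "POST" or op not in ("encrypt", "decrypt"):
            return 404, b'{"message":"not found"}'
        src, dst = ("plaintext", "ciphertext") if op == "encrypt" else ("ciphertext", "plaintext")
        data, iv = base64.b64decode(body[src]), base64.b64decode(body["initializationVector"])
        out = bytes(a ^ b for a, b in zip(data, self._keystream(iv, len(data))))
        return 200, json.dumps({dst: _b64(out)}).encode()
```

In a real module, WorkloadCrypto.from_env() replaces the fake transport and the saving module writes seal(...) to disk while the uploading module reads it back with unseal(...). Two things to verify on your own daemon before relying on this: that the other module is allowed to decrypt what this one sealed (the daemon derives the key for the calling module, and whether a blob survives a module re-creation with a new generation ID depends on that derivation), and that you never reuse an IV for two blobs, which is why seal() draws a fresh one each time.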

Related

How to Connect Downstream Device to Azure IoT Central using x509 Certificates?

I am having trouble figuring out how to connect a downstream device to my IoT Central application. There is sample code showing how to do it using symmetric keys, but I am interested in using an X.509 certificate (https://learn.microsoft.com/en-us/azure/iot-central/core/how-to-connect-iot-edge-transparent-gateway#provision-a-downstream-device). I've tried using the code in the EdgeX509AuthDownstreamDevice sample, but I am not sure what to put for the IOTHUB_HOSTNAME environment variable, since IoT Central doesn't expose the IoT Hub. Has anyone gotten this to work?
The variables used are misleading. You don't see the IoTHUB connection string. Below, just replace the device shared key and it should work:
export IOTHUB_DEVICE_CONNECTION_STRING="HostName=edgegateway;DeviceId=thermostat1;SharedAccessKey={your device shared key}"

How to transfer > 8K sensitive binary information to Azure IoT Device

How can an IoT device which connects to an IoT Hub using the Azure IoT Hub SDK retrieve larger amounts of sensitive data which is part of the device configuration?
I know I can use Device Twins as configuration documents per device, but those are limited to 8K in total.
I need larger amounts of data in binary format to be transferred to the device when a device, for example, gets reset to factory defaults or somehow loses its local storage as part of a hardware fault.
I was thinking about using a D2C method triggering a request which results in a series of C2D or direct method calls to the requesting device transmitting the information in question (basically mimicking request/response behavior). However, this feels like a workaround.
My other thought was about transmitting URLs to a storage account as part of the device twin properties, allowing the device to download the binary information using the Storage SDK. However, given the sensitive nature of the information downloaded, I can't directly expose this information to the internet using a publicly accessible container in Azure Storage.
So my last thought was to access a REST API which controls access to the information. However, my concern is that I break out of the secure communication channel the IoT Hub SDK provides with its built-in communication methods, and I have to secure the communication between the device and the REST API using some kind of rotating secret anyway, which could expose other risks along with a complicated custom implementation.
What is the suggested way of providing access to this kind of device-specific data for Azure IoT clients?
I recommend using a new feature (still in preview) of Azure IoT Hub: Device Streams.
You can test this new preview feature using my updated tool, Azure IoT Hub Tester (see Appendix A2).

How to send events to a device in Azure IoT Hub using shared key for authentication

Is there a way to send data to a device in Azure IoT Hub using a shared key without first generating a SAS token? The reason I am trying to do this is that I want to send events via a web hook without writing code for it. The device is connected to our system and we're trying to use our web hooks functionality, which can relay an event to an HTTP endpoint with preconfigured headers and format, but it can't execute code to get a temporary SAS token.
Alternatively, can I make a SAS token that never expires?
Ended up using Azure IoT Central + the Azure IoT Central Bridge. The IoT Bridge is an Azure function where you put some JS code to convert your message to a format that IoT Central understands and then it deals with the tokens and eventual device registration. This is not an exact answer to the question since IoT Central is not exactly IoT Hub (it is a portal over it) but it turns out it works well enough for our case. Also I think the codebase of the IoT Bridge can be used with the IoT Hub if one wants to dig enough through it. Maybe this solution can serve someone else.

Are IoT Hub Device Twin properties secure for things like connecting strings?

I am currently thinking about a solution where an IoT device would have more than one possible endpoint to talk to, like an API for some calls that do not concern telemetry or device twin data.
The connection to the IoT Hub can be secured very well (we will use certificates), and I want to avoid adding a different way of authentication to the architecture.
So my idea right now would be to have a back-end service generate device-specific SAS tokens for my APIs, possibly on demand if requested by the device.
The cloud-to-device communications guidance mentions configuration data, so it feels like a good way to go. Would it be safe to write these tokens in the desired properties? Would it be safer to use the payload of a cloud-to-device message? Or should it be done completely differently?
You can create a custom cloud service as a token service that uses an IoT Hub shared access policy with DeviceConnect permissions to create device-scoped tokens.
For more detailed information you can reference "Custom device authentication".

How Azure IoT hub registers the new device

Can the Azure IoT Hub identify the spoofing of an identity during the registration process?
Assume a new IoT device is joining the IoT Hub and is showing a spoofed MAC ID to the IoT Hub.
Will the Azure IoT Hub detect that the device uses a spoofed identity?
The Azure IoT Hub Identity Registry is what manages devices identities. You can read some literature about it here.
When it comes to authenticating devices, IoT Hub offers several options that are detailed here.
In a nutshell, you have three ways to provision a device with a unique identity and credentials: using a connection string with a unique ID and key (which allows computing a SAS token on the device), using a SAS token (which you would have to create offline), or using an X.509 certificate.
The only way a device could try and spoof an identity would be if someone was able to retrieve these unique ID and credentials from a legit device or some other source, which is why we strongly recommend leveraging secure storage solutions on the device so that the device credentials cannot be stolen and reused.
If a device tries to connect using valid credentials already used by another device, then the first device will be disconnected, but beyond this, you can (and it is recommended to) implement some security strategy such as rolling secure keys regularly. These strategies depend on your scenario, device type, the way you plan to provision the devices... IoT Hub gives you the tools to implement what fits your needs.